Jump to content


preventing about:blank

  • Please log in to reply
3 replies to this topic

#1 Legion5



  • Full Member
  • Pip
  • 16 posts

Posted 30 June 2004 - 12:28 AM

Ok I know how about:blank is spread, there are essentialy 2 ways.

1. Is through the Overnet file sharing program, Overnet is Ad supported and even with the registered version there is half a second there where the add will show up. I use it mostley for abandoneware, as I am an enthrusiast of that but in anycase, the spammers hijack the adds and make them display a pop up window.

The window usualy displays some bogus javascript info, which anyone with half a mind could display (there is a great jpg image that displays your IP Address is in the image itself, but I unfortunatley I never saved the link, ilustrates this rather nicley).

It then goes on to say 99% chance you have spyware installed click here to remove!

Which it then links to its own spam pages.

2. The second way is from variouse sites that display pop up adds, which ever they be these spam "remove spyware" adds are also displayed here.

Besides this no other add supported program displays these adds, that I am aware of so if you got it, its from a remove spyware add.


about:blank deos 3 things that I know of, it changes your search start etc. pages, it instals a spam .css style sheet replacing the default internet explorer page about:blank. It then installs search.ex and a .dll who's name escapes me (feel free to correct me).

To remove it you have to do 3 things.

use HijackThis to remove the registry edits it made to change your start page etc.

use CWShreader to remove search.ex

use AdAware on MANUAL mode scanning every single file on your system (very lengthy espetialy if you have a large HDD .48 terabytes uncompressed on 2, 120gb hdd's (I run win2k Pro btw)), to remove the .dll which reinstalls it. It will also probably fix the rest of the registy hacks, these being 'possible browser hijacks' as classified by it.


Now my question is:


I have been Hijacked by this most likley 20 or more times, how do I prevent it from re-installing and how deos it install.?

Former version of CW, CoolWebs Virus have installed through MS Virtual Machine(the default Java code plug-in by microsoft), according to the FAQ Sun Microsystems Java solves the problem, and has more secure code which prevents the virus code (or program if it can be called that) from installing, I have removed both java plug-ins as frankley they aren't used that often by websites, in any case how is it still intalling if it deos not exploit the Microsoft VM, non byte verifier Java plug-in?, and again how do I prevent it from re-installing/infecting?-

#2 Legion5



  • Full Member
  • Pip
  • 16 posts

Posted 01 July 2004 - 12:31 AM


#3 The Fist

The Fist


  • Full Member
  • Pip
  • 50 posts

Posted 01 July 2004 - 07:04 AM

Please download Hijack This into its own permanent directory (e.g. c:\HJT) and run it. Then post a copy of the Hijack This log on your next posting. There are different ways of getting rid of About:Blank depending on you OS and other factors.

The Fist

#4 Mrfullsrvc



  • Full Member
  • Pip
  • 10 posts

Posted 01 July 2004 - 04:48 PM

Here is another solution for fixing the about:blank problem.

I fought with this virus for a week and a half. It might be a Win32MerstingB trojan. I believe it also contains variations of the CWS trojan too. Here are some useful sites and some information to help you get rid of it.

From ca's website: "Win32.Mersting is a trojan that is used to change a user's default Internet Explorer homepage and/or default search page that may also download other components and add pornography related Favorites to Internet Explorer."

Turns out it can enter your system through the Microsoft Java Virtual Machine. I had all the latest updates from Microsoft and it didn't stop it.

Aside from running the CWS shredder, Spybot, Adaware, pest patrol and an antivirus program, there are a couple of other things you can do too.

My antivirus program (eztrust from cai) would stop it from executing, but it wouldn't remove it. Below are some websites explaining what it is and a couple of ways to remove it.

To see information about it, go to:


For information on the Reg Start page, go to:


Trend micros removal too for this particular mofo is at:


I have a command file (.cmd) named delmer.cmd that will remove it for you too that was sent to me from CAI. If anyone needs it, email me and I can send it to you. You'll need software to be able to decode mime files tho. For anyone who knows how to create a command file, below is the contents of that command file:

@echo off
rem Grant everyone full access to the file
echo y| cacls.exe %1 /g everyone:f
rem Access the file to trigger resident protection
type %1 > nul
rem Wait 10 seconds to allow system clean to run
delay 10
rem In case system clean didn't run, delete the file manually
del /q /f %1

Make sure that once you run the command file, or the fixtool from Trend Micro that you turn off the system restore if you're using Win Me or XP. You'll need to reboot before the computer deletes all the system restore points. Your antivirus will detect the virus if you don't turn the system restore off.

I hope this will help everyone who went thru the nightmare I've gone thru too!!

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button